Strong Customer Authentication

Comments

  • eskbanker
    eskbanker Posts: 30,399
    Forumite
    Ok, so the bank said that Phone Authentication is NOT required for logging into the account.

    It is ONLY required for transactions, and alterations of important info, ie Home Address, Phone Number etc.

    I can live with that.
    Which bank told you that, and did they confirm that it definitely applies to the future scenario after SCA introduction (even if this is delayed)?

    Section 100.1(a) of the Payment Services Regulations 2017 doesn't make any such distinction regarding what the customer does once logged in and so needs to be implemented as a one-size-fits-all control to the login process.

    http://www.legislation.gov.uk/uksi/2017/752/regulation/100/made:
    Authentication

    100.—(1) A payment service provider must apply strong customer authentication where a payment service user—

    (a) accesses its payment account online, whether directly or through an account information service provider;
    (b) initiates an electronic payment transaction; or
    (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
  • grnglide
    grnglide Posts: 171 Forumite
    eskbanker wrote: »
    Which bank told you that, and did they confirm that it definitely applies to the future scenario after SCA introduction (
    I think I have been told (by Lloyds???) that the phone authentication is only required for payments, withdrawals etc which seems odd.

    Waiting for it all to pan out.

    It would be nice to have the same process for all financial institutions but that will never happen.
  • MaxiRobriguez
    MaxiRobriguez Posts: 1,780
    Forumite
    eskbanker wrote: »
    I was thinking the same thing!

    I've found this from a European payments trade association, recommending an 18 month delay, but no indication that this has been agreed by anyone: https://www.epsm.eu/wp-content/uploads/2019/07/2019-07-10-EPSM-Press-Release-EPSM-supports-harmonised-migration-plans...-15.pdf

    I'll add this to that SCA thread on the banking board, which already includes links to the EBA and FCA statements last month that implied some delay may be sought, but as I understand it negotiations are ongoing....

    I work in a payments company and the guys who work in our roadmap area are saying it's almost a shoo-in that it's an 18 month delay.
  • dividendhero
    dividendhero Posts: 2,417 Forumite
    Don't want to scare anyone, but even 2FA isn't totally secure.

    Some years back it was possible to clone an RSA keyfob - provided you managed to find its "seed" number. Of course you still had to figure the PIN.
  • masonic
    masonic Posts: 23,062
    Forumite
    edited 23 July 2019 at 8:24PM
    dividendhero wrote: »
    Don't want to scare anyone, but even 2FA isn't totally secure.

    Some years back it was possible to clone an RSA keyfob - provided you managed to find its "seed" number. Of course you still had to figure the PIN.
    Yes, given a sufficiently sophisticated attacker and sufficient resources, any device that fell into the hands of the attacker could be reverse engineered.

    The cryptographic keys used as seeds by key fobs can also be stolen; there would be no need to figure the PIN in this case, because the PIN is used to protect the device and you are bypassing the need for the device. The same is true of card readers, which essentially use the same mechanism for generating codes. SMS based OTP systems use the same technology; in this case only the provider has the key used to generate codes, but this method has the same weakness.

    The main difficulty would be in determining which account was being protected by the key fob, which would typically involve hacking the bank (even if they were using a third party service like RSA, only they would be able to marry up account and key fob). This is a much less common occurrence than information being stolen from individual customers and banks would argue they take other measures to mitigate such risks.

    Despite the above, RSA ended up giving out replacement tokens for nearly all of its customers following its famous hack in 2011. It is believed that hack was a combination of the theft of RSA's database linking device serial numbers to the seeds, and subsequent attacks on RSA's customers whose device serial numbers they were able to determine.

    No single security measure is without weakness, which is why it is necessary to have multiple layers of security.
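    To make the shared-seed point above concrete, here is an added example that is not from any poster and is not RSA's proprietary SecurID algorithm; it uses the open HOTP/TOTP standards (RFC 4226 and RFC 6238), which have the same design: the provider and the token hold one seed, the PIN only unlocks the token's display, and any second copy of the seed yields identical codes, which is why the seed database is the asset to protect and rotate. The seed below is the RFC test-vector key, a constructed value.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226/6238 test-vector key, not a real token's seed.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time window."""
    return hotp(seed, unix_time // step, digits)


def token_display(seed: bytes, device_pin: str, entered_pin: str, unix_time: int):
    """Models the fob or card reader: the PIN gates the display but never enters
    the code computation, so it protects the device, not the seed."""
    if not hmac.compare_digest(device_pin, entered_pin):
        return None
    return totp(seed, unix_time)


def bank_verify(seed: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Provider side: recompute from the stored seed, tolerating +/- one window of clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, unix_time + drift * step, step), code):
            return True
    return False


def seed_copy_needs_no_pin(seed: bytes, unix_time: int) -> bool:
    """Whoever holds a copy of the seed computes the same code as the PIN-locked token,
    and the provider accepts it, because the provider only ever checks the seed."""
    genuine = token_display(seed, "1234", "1234", unix_time)
    from_copy = totp(seed, unix_time)
    return genuine == from_copy and bank_verify(seed, from_copy, unix_time)


if __name__ == "__main__":
    now = 59
    print("token shows:", token_display(SEED, "1234", "1234", now))   # 287082
    print("wrong PIN:", token_display(SEED, "1234", "0000", now))     # None
    print("seed copy suffices:", seed_copy_needs_no_pin(SEED, now))   # True
```

    The same recomputation is what lets a provider detect a compromised seed batch only indirectly (codes look genuine), so seed inventories and the serial-to-seed mapping need the same protection as the tokens themselves.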
  • quaybab
    quaybab Posts: 115
    Forumite
    Apart from new EU regulations (haha, you thought democracy existed and the UK electorate voted to leave Europe - you're wrong) + it's actually due to customers being responsible for most bank fraud.

    You don't need SCA to setup a direct debit and neither do you need it to use the current account switching service!
    I don't see the point of this as universal real time banking doesn't exist - it takes up to 3 days for a transaction to appear on your credit card!
  • eskbanker
    eskbanker Posts: 30,399
    Forumite
    quaybab wrote: »
    Apart from new EU regulations (haha, you thought democracy existed and the UK electorate voted to leave Europe - you're wrong) + it's actually due to customers being responsible for most bank fraud.
    Perhaps that sentence made sense in your head?

    While it's an obvious and cheap shot to point the finger at a comfortably familiar bogeyman when looking for a scapegoat for something you don't like, are you suggesting that the UK will seek to repeal this legislation once out of the EU?
    quaybab wrote: »
    You don't need SCA to setup a direct debit and neither do you need it to use the current account switching service!
    Do you believe that either of those activities is associated with significant levels of fraud?
    quaybab wrote: »
    I don't see the point of this as universal real time banking doesn't exist - it takes up to 3 days for a transaction to appear on your credit card!
    What does that have to do with improving controls around initiating transactions?
  • JustJohn
    Well, it's started. On Friday, I could not log in to a NatWest business account because the battery in the card reader I haven't needed for years has died. It'll take three working days before they can send me one. I might be able to access the account next week. Nationwide tell me I'll be able to use my debit card and reader to see details of my credit card account but how that's going to help if I need to authorise a credit card transaction is beyond me and, so far, them.

    Surely the most straightforward solution would be to send the customer an e-mail with a one-time password: They're at an internet-connected device either trying to log on to internet banking or complete a transaction.

    I rather like the Coventry Building Society's low-tech answer (which was introduced well before SCA was dreamed up). It's a "grid card" - a 10X5 card with numbers in the boxes. To log in, you are asked for your customer ID, some letters from your password and some digits off the card.

    Most of the banks seem to have ignored the Payment Industry Intelligence bulletin dated 31JAN2019 [I can't post a link to paymentscardsandmobileDOTcomFORWARD SLASH psd2-strong-customer-authentication] which points out that financial organisations opting for a "one size fits all" solution were going to get adverse reactions. Two paragraphs are of particular relevance:- "Pushing a Specific Authentication Method Will Cause Issues" and "There Are Many Impediments to Authentication".

    There are numerous areas in the UK where a mobile telephone signal is unavailable. My brother-in-law lives about 20 miles NE of Taunton: To get a signal, he has to go to the end of the garden. A couple of years ago, my wife and I holidayed in West Cornwall: She needed to drive 5 miles to get a signal.

    Rather than ranting, we need to organise a co-ordinated push on the banks to provide alternative options.
  • masonic
    masonic Posts: 23,062
    Forumite
    JustJohn wrote: »
    Well, it's started. On Friday, I could not log in to a NatWest business account because the battery in the card reader I haven't needed for years has died. It'll take three working days before they can send me one. I might be able to access the account next week. Nationwide tell me I'll be able to use my debit card and reader to see details of my credit card account but how that's going to help if I need to authorise a credit card transaction is beyond me and, so far, them.
    So you have a working Nationwide card reader? Have you tried using that with your Natwest card? For personal accounts they are interchangeable. I don't know if business accounts use a different system.

    I have a completely unused Nationwide card reader as I've always used my Natwest reader with my Nationwide card.
  • Aminatidi
    Aminatidi Posts: 532
    Forumite
    A lot of people are woefully lazy/daft with the security they use on their email account.

    I wouldn't be comfortable with most people using it to receive a one-time password for something as sensitive as a bank login.
This discussion has been closed.